Ask Ars: What’s the difference between the old and new tracking systems on iOS?

Confused about the differences between UDID and IDFA? We have answers.

You want to opt out of targeted ads? Jabba would hate to give up one of his favorite decorations.

Aurich Lawson

In 1998, Ask Ars was an early feature of the newly launched Ars Technica. Now, as then, it's all about your questions and our community's answers. We occasionally dig into our question bag, provide our own take, then tap the wisdom of our readers. To submit your own question, see our helpful tips page.

There has been a lot of talk lately about Apple's new user tracking system introduced with iOS 6—but certainly not from Apple. The company has stayed largely mum on the user side when it comes to how it's helping app makers and advertisers track information about iPhone, iPad, and iPod touch users, leading some around the Web to panic over privacy. As usual, the actual situation is more nuanced than what some would have you believe, but it's worth being educated about what's going on so you can decide how to handle your own privacy decisions.

We've been receiving reader questions lately about Apple's recent changes—here are some answers to the most common questions.

What was the UDID and why did Apple stop using it?

The UDID, or Unique Device Identifier, is a 40-character string that uniquely identifies a specific iOS device, similar to a serial number. The UDID has been used for many things in the past, including connecting your device to an iOS Developer account for iOS beta releases, connecting your device to your Apple ID so that you can reinstall App Store purchases or re-download music, connecting your device to iMessage so you can receive messages at multiple locations, and so on.

Those are all still legitimate uses for the UDID—mainly because it's Apple who is using that information. But until the release of iOS 6 in September, UDIDs were also used by advertisers and third-party developers in order to collect user data—this was mostly so they could offer targeted advertisements, but some also used the UDID for their own Game-Center-like networks.

We wrote an Ask Ars about the UDID back in September of 2012 with even more details about its uses and why Apple decided to deprecate it—at least when it comes to third parties. But the general gist is that although the UDID could have been used as a semi-anonymous token to track users, many developers ended up connecting UDIDs with users' real names, addresses, phone numbers, and other information. And when that data was correlated together, it could have been used to actually identify a particular user—in fact, security researchers issued a paper in 2010 showing that plenty of third-party apps transmitted users' UDIDs back to their own servers along with personally identifying information.

That's part of why Apple decided to deprecate the use of UDIDs with the release of iOS 5 in October of 2011, and started rejecting apps that made use of the UDID earlier this year. But Apple's action in discouraging the use of UDIDs came too late to avoid a UDID-related privacy nightmare.

Anonymous-offshoot group AntiSec released a list of one million UDIDs in September, with many attached to full names, cell phone numbers, and home addresses. At the time, AntiSec claimed the list came from a hacked FBI laptop, but that claim was soon debunked by digital publishing firm BlueToad, who verified that the list came from its own hacked system. BlueToad itself is not a widely recognized name, but it created apps for other companies, such as Variety Magazine, Modern Luxury, Arhaus, and others—like other publishers, it too collected UDIDs and personal information from the users of those apps.

AntiSec's release of the UDID list came nearly a year after Apple first told developers it was deprecating the use of the UDID by third parties, but the incident shows why app makers and advertisers shouldn't have had access to the UDID in the first place. There was no way for users to disassociate the UDID from their devices or turn off any kind of tracking, which is why it's a good thing that it's no longer in use.

Now I hear there's something new. Did Apple lie about getting out of the tracking game?

This is the area where there's been some misinformation floating around. By the wording of this Slashdot post and its accompanying post on Sophos, you might have been led to believe that Apple had sworn off user tracking, only to slyly sneak it back in. "Apple got caught with its hand in the cookie jar… Enough is enough, right? Well, maybe not," wrote Sophos this week.

That's not exactly the case. Ever since Apple began rejecting apps that made use of the UDID earlier this year, it had been suggested that the company was working on offering some other way for developers to track users. Rumors about the new identifier began circulating in June—around the same time developers began talking about Apple's new Identifier for Advertising, or IDFA. And in September, when Apple issued a statement over the AntiSec leak, the company publicly acknowledged that a new tracking system was on the way: "[W]ith iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID," Apple spokesperson Natalie Kerris said at the time.

So, it was no secret that the UDID was going to be replaced with something else, and that alternative was expected to be more privacy-conscious. Now that iOS 6 is out and available to the public, the new IDFA is indeed in place, and advertisers have already been using it to track you on your iPad, iPhone, or iPod touch. Surprise!

How does the IDFA differ from the UDID?

Advertisers largely use the two IDs in the same way, but there are a few key differences between them that affect both users and advertisers.

On the user side, the UDID was not something you could control or limit in any way—advertisers who wanted to grab it could easily do so without your permission or knowledge, and there was nothing you could do about it. The IDFA differs from that because you can control it on the user end; if you don't want your browsing habits tracked, you can flip it off (see how in the next question). Additionally, as pointed out by Sophos, the IDFA "can't be traced back to individuals, it merely links a pattern of online behavior with a specific device."

On the advertiser end, the IDFA acts as a persistent cookie that won't be cross-contaminated. This is better for them because if you sell your old iPod touch to someone else and buy a new one, your UDID might change and an advertiser might think you're an entirely different user. (Not to mention that your old UDID is now being used by someone new, so any advertising info that was previously attached to your UDID is now being targeted toward a different person.) Because the IDFA divorces itself from the UDID, it can be reset with a new device and there won't be any crossing of the streams when it comes to ad targeting.

How can I control how the IDFA tracks me?

Find this under Settings > General > About > Advertising.

So you don't like targeted ads—that's fair. If you're running iOS 6, the IDFA is turned on by default, but it's easy to turn it off. On your iOS device, go into Settings > General > About > Advertising and flip the "Limit Ad Tracking" switch to "on." It will be set to "off" by default—the wording is somewhat confusing, because it makes you think the ad tracking is off, but actually it means that your limitation of the ad tracking is off. Tricky tricky, Apple.

47 Reader Comments

the wording is somewhat confusing, because it makes you think the ad tracking is off, but actually it means that your limitation of the ad tracking is off.

That, combined with the placement, makes me think Apple isn't acting in 100% good faith with this system. When was the last time you saw a useful setting under an "About" tab? Every program/device I know of uses that for two things: information about software versions (and hardware, for physical devices), and for getting software updates. To put settings under an "About" tab is implicitly taboo in interface design, and to put a privacy setting there (hardware controls, maybe, but not a tracking setting) even more so.

That and reversing the word order so that "Off" turns it on, and "On" turns it off, is a little slimy.

No, you cannot disable all ads altogether, because a lot of applications rely on them for funding. Creating an easy way to get rid of all ads would alienate Apple's free (as in free beer) software developer community.

I didn't think the word order was confusing. I would have never gone into the About section though, let alone if I was actually looking for the option that I didn't know existed. There's a Privacy section, why is it not in there if the idea wasn't to make it hard to find?

Sometimes I feel like I'm the only one that wants targeted advertising. I never want to see a Tampon commercial ever again and I'd give them my DNA if that is what it took. So please, bring on the targeted advertising.

E: I am glad they have an option for people to turn it off and it should be less confusing. I'm surprised it isn't under privacy.

What if you don't like ANY ads? Is there anything available on ios to block/disable trackers and ads completely?

Some firmwares like DD-WRT and Tomato allow you to run scripts on bootup that allow you to block common sources of advertisements. But as others pointed out, these adverts help pay for the products you often can get for free.

I didn't think the word order was confusing. I would have never gone into the About section though, let alone if I was actually looking for the option that I didn't know existed. There's a Privacy section, why is it not in there if the idea wasn't to make it hard to find?

I agree with you there. It should be in Privacy for sure. Whether its current placement is actually malicious intent or not is hard for me to guess. I wouldn't be surprised to see it move to Privacy in a future update.

I'm somewhat confused how this solves the correlation between a unique user identifier and real user information problem though. If you're still using it as the primary key into an index of real user data (which was the problem with UUID) then you're going to get the same problem. I'm sure Apple has thought of a way to prevent this somehow, but this article does nothing to explain how the problem is actually solved as is. It just talks about replacing one unique identifier with another.

the wording is somewhat confusing, because it makes you think the ad tracking is off, but actually it means that your limitation of the ad tracking is off.

That, combined with the placement, makes me think Apple isn't acting in 100% good faith with this system. When was the last time you saw a useful setting under an "About" tab? Every program/device I know of uses that for two things: information about software versions (and hardware, for physical devices), and for getting software updates. To put settings under an "About" tab is implicitly taboo in interface design, and to put a privacy setting there (hardware controls, maybe, but not a tracking setting) even more so.

That and reversing the word order so that "Off" turns it on, and "On" turns it off, is a little slimy.

Disclaimer: yes, I dislike Apple, so yes, I am biased.

The wording seems fine to me; I wouldn't be confused by it. But I agree that putting the setting in an about screen seems fishy. Who puts configuration options in an about screen?

This is especially odd considering the effort Apple normally puts into having a very well organized and user-friendly UI.

'Additionally, as pointed out by Sophos, the IDFA "can't be traced back to individuals, it merely links a pattern of online behavior with a specific device."'

How is this possible? If the IDFA can track a specific device, and the company has my name through any means (such as because I installed their app), doesn't that mean the IDFA can be linked to me? How is this prevented? I haven't seen any mention anywhere of how they are keeping external data linking from occurring.

I personally think that each app/domain/whatever should get its own IDFA from the user, so that can't cross-correlate between different sites/apps/etc. Of course, the advertisers wouldn't like that, because they want to build a profile of everything about you.

Thanks for the article. I didn't realize that switch was there. But the wording is clear - at least to me. But what you didn't include is anything about the consequences of turning it off or on. If I disable the tracking, who is affected? Developers, in any way? If I leave it on, who benefits?

I didn't think the word order was confusing. I would have never gone into the About section though, let alone if I was actually looking for the option that I didn't know existed. There's a Privacy section, why is it not in there if the idea wasn't to make it hard to find?

This is spot-on.

The phrasing for the control seems exactly correct to me. Suggesting it's somehow confusing makes me worry about the author's attention span. Or maybe mine.

The location anywhere but under Privacy is what irritates me, bringing up "beware of leopard" memories from decades past.

I didn't think the word order was confusing. I would have never gone into the About section though, let alone if I was actually looking for the option that I didn't know existed. There's a Privacy section, why is it not in there if the idea wasn't to make it hard to find?

The question isn't "do you, a technically proficient user, find the word order confusing", the question is "will some people find the word order confusing (especially at a quick glance)"? If the answer to the latter is "yes", then it should be reworded.

But yes, the main issue is the fact it is in the "About" tab. That is literally the last place I would look for it (actually, I might never look there).

Info on the IFA from the WWDC 2012 video (Session 710 - Privacy Support in iOS and OS X):

* Standard 128-bit random UUID (with no hardware info)
* Available across all applications (for example iAd uses it)
* Forgotten when you Erase all Contents & Settings (a new, random UUID is generated)
* Can be backed up
* Cannot be restored to a different device (a new UUID will be generated)

Apple have actually created 3 different UDID replacements:

* [NSUUID UUID] for an individual app
* [[UIDevice currentDevice] identifierForVendor] for an individual company's apps
* [[UIDevice currentDevice] identifierForAdvertising] for advertisers to recognize the current software install on a device

'Additionally, as pointed out by Sophos, the IDFA "can't be traced back to individuals, it merely links a pattern of online behavior with a specific device."'

How is this possible? If the IDFA can track a specific device, and the company has my name through any means (such as because I installed their app), doesn't that mean the IDFA can be linked to me? How is this prevented? I haven't seen any mention anywhere of how they are keeping external data linking from occurring.

I personally think that each app/domain/whatever should get its own IDFA from the user, so that can't cross-correlate between different sites/apps/etc. Of course, the advertisers wouldn't like that, because they want to build a profile of everything about you.

Yes, exactly this. Any ID is semi-anonymous at best. Privacy leaks can be addressed by creating a unique ID based on the combination of user and app/domain. It's still identifying, but only in the context of that one domain.

But without that limit, it's just like UDID in that content producers can create indexes matching up UDID with identifying information.
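The per-app scoping idea from the comment above, as an added example that is not from the article, the commenters, or Apple: a shared device-wide identifier works as a join key between two apps' server-side records, while an identifier derived per app does not. The bundle names, profile fields, device secret and the HMAC derivation are assumptions made for illustration, not how iOS generates its identifiers.

```python
import hashlib
import hmac
import uuid

# Constructed sample value: a per-device random secret (not from the article).
DEVICE_SECRET = uuid.UUID("11111111-2222-4333-8444-555555555555").bytes


def shared_id(device_secret: bytes) -> str:
    """Device-wide identifier: every app on the device sees the same value."""
    return hashlib.sha256(b"device-wide" + device_secret).hexdigest()[:32]


def scoped_id(device_secret: bytes, scope: str) -> str:
    """Identifier bound to one app/vendor scope via HMAC-SHA256.

    Without the device secret, values from two scopes cannot be linked.
    """
    return hmac.new(device_secret, scope.encode(), hashlib.sha256).hexdigest()[:32]


def collect(app: str, device_secret: bytes, profile: dict, scoped: bool) -> dict:
    """What one app's server stores: {identifier: profile fields}."""
    ident = scoped_id(device_secret, app) if scoped else shared_id(device_secret)
    return {ident: profile}


def join_on_id(db_a: dict, db_b: dict) -> list:
    """Merge records from two apps that carry the same identifier."""
    return [{**db_a[k], **db_b[k]} for k in db_a.keys() & db_b.keys()]


def join_on_field(db_a: dict, db_b: dict, field: str) -> list:
    """Merge records by a shared profile field (e.g. a login e-mail) instead."""
    by_field = {rec[field]: rec for rec in db_b.values() if field in rec}
    return [{**rec, **by_field[rec[field]]}
            for rec in db_a.values() if rec.get(field) in by_field]


def build(scoped: bool, game_has_login: bool = False) -> tuple:
    """Constructed scenario: a news app with a login, a game that sees behaviour."""
    news = {"email": "alice@example.test", "name": "Alice Example"}
    game = {"interest": "racing games"}
    if game_has_login:
        game["email"] = "alice@example.test"
    db_a = collect("com.example.news", DEVICE_SECRET, news, scoped)
    db_b = collect("com.example.game", DEVICE_SECRET, game, scoped)
    return db_a, db_b


if __name__ == "__main__":
    print("shared id, join on id   :", join_on_id(*build(scoped=False)))
    print("scoped ids, join on id  :", join_on_id(*build(scoped=True)))
    print("scoped ids, join on mail:",
          join_on_field(*build(scoped=True, game_has_login=True), "email"))
```

Scoping removes the identifier as a join key only; when both apps also collect the same login, that field links the records regardless of how the identifier is generated.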

My understanding is that boolean settings in iOS are almost always worded in the positive, where "ON" turns something on and vice-versa. I've seen two exceptions in Apple-created iOS software:

• Airplane Mode, in Settings
• Hide from Followers, in Find My Friends

Both of these are situations where turning the switch "ON" actually disables something, and both of them use an orange background for the ON position rather than a blue one. It seems to me that "Limit Ad Tracking" should have the same coloration.

...If the IDFA can track a specific device, and the company has my name through any means (such as because I installed their app), doesn't that mean the IDFA can be linked to me? How is this prevented? I haven't seen any mention anywhere of how they are keeping external data linking from occurring. ...

You can't prevent external linking if there's any kind of login; once you've logged in and an app has access to the internet it can always "phone home" and send whatever UUID is generated (even if each UUID is unique and not shared) to a central server. The company can then always follow you across different devices.

The way it can be read is also a bit questionable. It doesn't say it stops ad tracking, just that it limits it. What are those limits? I realize I could be reading more into it than is really there, but in my experience companies word things the way they do for very specific reasons.

Let's face it, you can count useful free applications using only your fingers. And when I say "free" I mean totally free (like Overlook Fing), not those "free" but useless until you unlock features with "In-App Purchases".

What I am saying is that showing (shoveling?) ads, targeted or otherwise does not bring any benefits for the users -- they should stop attempting to disguise spying under the premise (and promise) of free stuff.

One can still generate a device-specific unique identifier under iOS 6 by using the MAC address of en0. It's a stupid thing to do (especially with all the great new APIs listed above by @Robotic Cat) but it's possible. I'm sure this is also possible on Android and other mobile operating systems.

If the user has limited ad tracking, use the advertising identifier only for the following purposes: frequency capping, conversion events, estimating the number of unique users, security and fraud detection, and debugging.

So if you turn on "limit ad tracking", does it go back to the old UDID method? Or is nothing at all given to the apps?

Limit Ad Tracking sets a flag in the ASIdentifierManager used by iOS developers. It will have its "advertisingTrackingEnabled" flag set to "NO." This means that developers should not use the advertisingIdentifier for the purpose of targeting ads (but may use it for other purposes, such as frequency capping, diagnostics, counting users, and security).

This means that if an advertiser really wants to, they can grab your advertising identifier even if you have Limit Ad Tracking turned on. They would be in violation of Apple's policy, however, and if Apple ever found out they would potentially be in line for a ban from the App Store.

A programmer is supposed to check first if IDFA is enabled for advertising purposes before attempting to use it in that way.

the wording is somewhat confusing, because it makes you think the ad tracking is off, but actually it means that your limitation of the ad tracking is off.

That, combined with the placement, makes me think Apple isn't acting in 100% good faith with this system. When was the last time you saw a useful setting under an "About" tab? Every program/device I know of uses that for two things: information about software versions (and hardware, for physical devices), and for getting software updates. To put settings under an "About" tab is implicitly taboo in interface design, and to put a privacy setting there (hardware controls, maybe, but not a tracking setting) even more so.

That and reversing the word order so that "Off" turns it on, and "On" turns it off, is a little slimy.

Disclaimer: yes, I dislike Apple, so yes, I am biased.

I agree this is very strange for a setting to be under the About tab. If I would not have read this article I never would have guessed that a privacy setting would be there. Apple needs to knock this kind of crap off...

RE: "… the wording is somewhat confusing, because it makes you think the ad tracking is off, but actually it means that your limitation of the ad tracking is off. Tricky tricky, Apple."

REPLY: There's nothing confusing about this setting.

Just as "Speed Limit" doesn't mean "STOP!" It means drive at or below the posted "Limit." And, "Limit Ad Tracking" set to "on" means that ads will still occur, but the number of ads will occur at or below a "Limit."

Likewise, "Limit Ad Tracking" set to "off" will NOT "Limit" the number of ads, but will keep the ads coming all day long.

"A user typically reads the text in a dialog box until it becomes familiar and then relies on visual cues, such as button names or positions, to respond. Names such as Save, Quit, and Erase Disk allow users to identify and click the correct button quickly. These words are often more clear and precise than names such as OK, Yes, and No. If the action can’t be condensed into a word or two, OK and Cancel or Yes and No may serve the purpose. If you use these generic words, be sure to phrase the wording in the dialog box so that the action the button initiates is clear."

This article completely ignores any privacy concerns from the user viewpoint. She actually mocks the user base for getting upset that Apple had turned on, without any notice or announcement, tracking and that it was an opt-out system.

She points out that (stop the presses) Slashdot got a story wrong, is that your basis for "mocks the user base"?